CVE-2022-0932: Improper Authorization in saleor

Title

GraphQL traversal due to missing permission checks

Description

orders and customers fields allow to access each other via nodes edges. However, connections don’t check user’s permissions, which allows, for instance, a staff with just Customers permissions get full information about the order, though direct access is forbidden.

Steps to reproduce

I will use a “Staff without Orders permission” scenario

1. 1. As an admin create a staff, add this account to a group with just Customers permission.

2. 2. As a created staff observe that direct access to the orders is not allowed:

   { “query":"{ orders(first: 10) { edges { node { id } } } }” }

This POST query to http://localhost:8000/graphql/ returns You do not have permission to perform this action.

3. 3. Go to a page of any customer with at least one order and note that UI shows Recent orders with just "No. of Order", "Date", “Status” and “Total” fields. However, if you try to see the full information about an order and click on it , you’ll get Ooops!... Something's missing, as you don’t have enough permissions.

4. Now run this query and receive full information about all orders:

   { “query":"{ customers(first: 10) { edges { node { firstName, orders(first: 10) { edges { node { id, trackingClientId, voucher { id }, giftCards { id }, discount { amount }, discountName, customerNote, weight { value }, metadata { key, value }, fulfillments { id, status }, lines { id, productName, quantity }, actions, total { gross { amount } }, isPaid } } } } } } }” }

The most interesting field here is definitely lines, as it completely leaks the order.

Possible remediation

Though some fields on orders must be visible to a staff with only Customers permission to see the brief info about the last orders, an access to such fields as lines should be restricted.

Impact

This vulnerability is capable of leaking customer’s private information.